Latest Android Security Flaw – a Real Scare or Just a Hiccup

You have probably seen reports about a massive new Android security flaw affecting almost all Android devices released in the last four years; that is practically the whole industry at stake. But is this flaw a real threat to your data, or just a hiccup?

Bluebox, a new mobile security startup, uncovered a vulnerability in the way Android verifies application packages (APK files). According to Bluebox's research, the flaw leaves 99% of Android devices open to attackers who can modify an APK without breaking the application's cryptographic signature. That means the code inside such a package could be altered without the user knowing. A modified app could read your data, capture your passwords, control any function of the phone, or even enlist your device in a wider botnet, all without your knowledge, much like a trojan.

All Android applications carry a cryptographic signature, which Android uses to decide whether an app is legitimate and to verify that it has not been tampered with or modified. This vulnerability makes it possible to change an application's code without invalidating that signature, so a malicious author can trick Android into believing the app is unchanged when it is not.
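To make the "modified without breaking the signature" idea concrete, here is an added Python example that is not code from this article or from Bluebox (whose proof-of-concept was still unpublished when this was written). Android's classic APK signing works like JAR signing: META-INF/MANIFEST.MF lists a digest for every file in the archive, and the signature ultimately covers that manifest, so an installer must re-hash every entry and compare it against the manifest for the signature to mean anything. The checker below does exactly that digest-layer comparison; it deliberately skips the CERT.SF and CERT.RSA signature verification, all sample archives are constructed in memory, and the extra refusal of duplicate entry names is a general archive-integrity precaution (an archive where a verifier and an installer could read different copies of the same name is ambiguous), not a description of bug 8219321.

```python
"""Digest-layer checks for a JAR-style signed APK (added example, not from the
article or from Bluebox).  Only MANIFEST.MF digests are checked; CERT.SF and
CERT.RSA verification is intentionally out of scope.  Sample APKs below are
constructed in memory, they are not real applications."""
import base64
import hashlib
import io
import warnings
import zipfile
from collections import Counter


def parse_manifest(text: str) -> dict:
    """Return {entry name: SHA1-Digest (base64)} from MANIFEST.MF text.

    Sections are separated by blank lines; a line beginning with a space
    continues the previous line (the JAR spec wraps long lines at 72 bytes).
    """
    digests = {}
    for section in text.replace("\r\n", "\n").split("\n\n"):
        lines = []
        for raw in section.split("\n"):
            if raw.startswith(" ") and lines:
                lines[-1] += raw[1:]
            elif raw:
                lines.append(raw)
        fields = dict(line.split(": ", 1) for line in lines if ": " in line)
        if "Name" in fields and "SHA1-Digest" in fields:
            digests[fields["Name"]] = fields["SHA1-Digest"]
    return digests


def sha1_b64(data: bytes) -> str:
    return base64.b64encode(hashlib.sha1(data).digest()).decode()


def verify_digests(apk: bytes) -> list:
    """Return a list of problems; an empty list means every manifest digest matches."""
    problems = []
    with zipfile.ZipFile(io.BytesIO(apk)) as zf:
        names = [info.filename for info in zf.infolist()]
        # Two entries with one name are ambiguous: zf.read() silently returns the
        # later copy, and another parser might pick the other.  Refuse the archive.
        dupes = sorted(n for n, count in Counter(names).items() if count > 1)
        problems += [f"duplicate entry: {d}" for d in dupes]
        manifest = parse_manifest(zf.read("META-INF/MANIFEST.MF").decode())
        for name in sorted(set(names)):
            if name.startswith("META-INF/") or name.endswith("/"):
                continue
            if name not in manifest:
                problems.append(f"unlisted entry: {name}")
            elif name in dupes:
                continue  # already reported; do not trust whichever copy read() picks
            elif sha1_b64(zf.read(name)) != manifest[name]:
                problems.append(f"digest mismatch: {name}")
    return problems


def build_apk(files, manifest_files) -> bytes:
    """files: list of (name, bytes), repeated names allowed on purpose.
    manifest_files: {name: bytes} whose digests are written to MANIFEST.MF."""
    mf = "Manifest-Version: 1.0\nCreated-By: example\n\n"
    for name, data in manifest_files.items():
        mf += f"Name: {name}\nSHA1-Digest: {sha1_b64(data)}\n\n"
    buf = io.BytesIO()
    with warnings.catch_warnings():
        warnings.simplefilter("ignore")  # zipfile warns when a name repeats
        with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
            zf.writestr("META-INF/MANIFEST.MF", mf)
            for name, data in files:
                zf.writestr(name, data)
    return buf.getvalue()


# Constructed placeholder contents, not real dex or resource data.
GOOD_DEX = b"dex\n035\0constructed sample classes.dex"
EVIL_DEX = b"dex\n035\0constructed tampered classes.dex"
LAYOUT = b"<LinearLayout/>"
SIGNED = {"classes.dex": GOOD_DEX, "res/layout/main.xml": LAYOUT}


def clean_apk() -> bytes:
    return build_apk(list(SIGNED.items()), SIGNED)


def tampered_apk() -> bytes:
    """classes.dex swapped after signing; the manifest still lists the old digest."""
    return build_apk([("classes.dex", EVIL_DEX), ("res/layout/main.xml", LAYOUT)], SIGNED)


def ambiguous_apk() -> bytes:
    """Two entries named classes.dex: one matches the manifest, one does not."""
    return build_apk([("classes.dex", GOOD_DEX), ("classes.dex", EVIL_DEX),
                      ("res/layout/main.xml", LAYOUT)], SIGNED)


if __name__ == "__main__":
    for label, apk in [("clean", clean_apk()), ("tampered", tampered_apk()),
                       ("ambiguous", ambiguous_apk())]:
        print(label, verify_digests(apk) or "OK")
```

The tampered archive is what a naive "just swap the file" attack produces, and the digest check catches it; the point of the article is that an attacker can get around checks of this shape, so a verifier that only compares digests is necessary but not sufficient, and a real installer must also verify the signature over the manifest and treat any structural oddity in the archive as a reason to reject it.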

But is it really that bad? I mean, 99%?


Actually, you may well be safe despite this hackers' heaven kind of news. Why? In February this year, Bluebox quietly disclosed the flaw to Google, in keeping with responsible disclosure practice. Tracked as Android security bug 8219321, it has given Google over four months to get device manufacturers to release firmware updates that fix the vulnerability. A couple of months after the disclosure, Google also banned Play Store apps from updating through any channel other than the Play Store's own update mechanism, which should keep most users safe. VentureBeat has also reported that Google added checks to Google Play to guard against this type of attack, so Google Play users are protected.

The problem is for users of third-party Android app marketplaces, and many people use them, because the Play Store is understocked in many countries and because those markets offer unauthorized content. Those users are at the mercy of their marketplace and of their OEM, since the fix itself only reaches a device through a firmware update.

Note: in late July, at the Black Hat USA 2013 security conference, Bluebox will release proofs-of-concept of its exploits for each device vendor.